!36 [sync] PR-35: pam_cgroups.so不生效

From: @openeuler-sync-bot Reviewed-by: @duguhaotian Signed-off-by: @duguhaotian
2023-11-08 02:59:46 +00:00 · 2023-11-08 02:59:46 +00:00 · b906977175
commit b906977175
parent 82a7cade65 b02dc82596
2 changed files with 37 additions and 1 deletions
--- a/libcgroup.spec
+++ b/libcgroup.spec
@ -5,7 +5,7 @@
 Summary: Libcgroup is a library that abstracts the control group file system in Linux
 Name: libcgroup
 Version: 0.42.2
-Release: 3
+Release: 4
 License: LGPLv2+
 URL: http://libcg.sourceforge.net/
 Source0: https://github.com/%{name}/%{name}/archive/v%{version}/%{name}-v%{version}.tar.gz
@ -18,6 +18,7 @@ Patch1: libcgroup-0.37-chmod.patch
 Patch2: libcgroup-0.40.rc1-coverity.patch
 Patch3: libcgroup-0.40.rc1-fread.patch
 Patch4: libcgroup-0.40.rc1-templates-fix.patch
+Patch5: pam-cgroup-cgflags-no-usecache.patch

 BuildRequires: autoconf, automake, libtool
 BuildRequires: gcc,gcc-c++,byacc
@ -50,6 +51,7 @@ It provides helpful information for libcgroup-pam,libcgroup-devel,libcgroup-tool
 %patch2 -p1
 %patch3 -p1
 %patch4 -p1
+%patch5 -p1

 %build
 autoreconf -vif
@ -67,6 +69,7 @@ make DESTDIR=$RPM_BUILD_ROOT install
 install -d ${RPM_BUILD_ROOT}%{_sysconfdir}
 install -d ${RPM_BUILD_ROOT}%{_sysconfdir}/sysconfig
 install -m 644 samples/cgconfig.conf $RPM_BUILD_ROOT%{_sysconfdir}/cgconfig.conf
+install -m 644 samples/cgrules.conf $RPM_BUILD_ROOT%{_sysconfdir}/cgrules.conf
 install -m 644 samples/cgsnapshot_blacklist.conf $RPM_BUILD_ROOT%{_sysconfdir}/cgsnapshot_blacklist.conf

 # Only one pam_cgroup.so is needed
@ -108,6 +111,7 @@ getent group cgred >/dev/null || groupadd -r cgred
 %{_libdir}/libcgroup.so.*
 %config(noreplace) %{_sysconfdir}/cgsnapshot_blacklist.conf
 %config(noreplace) %{_sysconfdir}/cgconfig.conf
+%config(noreplace) %{_sysconfdir}/cgrules.conf
 /usr/bin/cgget
 /usr/bin/cgset
 /usr/bin/cgcreate
@ -138,6 +142,12 @@ getent group cgred >/dev/null || groupadd -r cgred
 %attr(0644, root, root) %{_mandir}/man8/*

 %changelog
+* Tue Oct 24 wanfeng<wanfeng@kylinos.cn> - 0.42.2-4
+- Type:bugfix
+- CVE:NA
+- SUG:NA
+- DESC:modify the mode of read rules for pam_cgroup
+
 * Thu Nov 3 wuzx<wuzx1226@qq.com> - 0.42.2-3
 - Type:feature
 - CVE:NA
--- a/pam-cgroup-cgflags-no-usecache.patch
+++ b/pam-cgroup-cgflags-no-usecache.patch
@ -0,0 +1,26 @@
+diff --git a/include/libcgroup/tasks.h b/include/libcgroup/tasks.h
+index aad438a..22f17d8 100644
+--- a/include/libcgroup/tasks.h
+++ b/include/libcgroup/tasks.h
+@@ -20,6 +20,8 @@ enum cgflags {
+ 	CGFLAG_USECACHE = 0x01,
+ 	/** Use cached templates, do not read templates from disk. */
+ 	CGFLAG_USE_TEMPLATE_CACHE = 0x02,
+	/** read rules from disk. */
+	CGFLAG_NOUSECACHE = 0x04,
+ };
+ 
+ /** Flags for cgroup_register_unchanged_process(). */
+diff --git a/src/pam/pam_cgroup.c b/src/pam/pam_cgroup.c
+index 1d78b81..fb427b4 100644
+--- a/src/pam/pam_cgroup.c
+++ b/src/pam/pam_cgroup.c
+@@ -138,7 +138,7 @@ PAM_EXTERN int pam_sm_open_session(pam_handle_t *pamh, int flags,
+ 	 * under what egid service will be provided?
+ 	 */
+ 	ret = cgroup_change_cgroup_uid_gid_flags(pwd->pw_uid,
+-		pwd->pw_gid, pid, CGFLAG_USECACHE);
+		pwd->pw_gid, pid, CGFLAG_NOUSECACHE);
+ 	if (ret) {
+ 		if (ctrl & PAM_DEBUG_ARG)
+ 			pam_syslog(pamh, LOG_ERR, "Change of cgroup for process"